Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package python-oauthlib for openSUSE:Factory
checked in at 2022-10-27 13:53:25
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-oauthlib (Old)
and /work/SRC/openSUSE:Factory/.python-oauthlib.new.2275 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-oauthlib"
Thu Oct 27 13:53:25 2022 rev:33 rq:1030997 version:3.2.2
Changes:
--------
--- /work/SRC/openSUSE:Factory/python-oauthlib/python-oauthlib.changes
2022-09-17 20:08:26.704828892 +0200
+++
/work/SRC/openSUSE:Factory/.python-oauthlib.new.2275/python-oauthlib.changes
2022-10-27 13:53:45.756442104 +0200
@@ -1,0 +2,7 @@
+Sat Oct 22 16:22:08 UTC 2022 - Arun Persaud <[email protected]>
+
+- update to version 3.2.2:
+ * OAuth2.0 Provider: * CVE-2022-36087
+- Also remove the conditional definition of python_module.
+
+-------------------------------------------------------------------
Old:
----
oauthlib-3.2.1.tar.gz
New:
----
oauthlib-3.2.2.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ python-oauthlib.spec ++++++
--- /var/tmp/diff_new_pack.AVc4fN/_old 2022-10-27 13:53:46.252444634 +0200
+++ /var/tmp/diff_new_pack.AVc4fN/_new 2022-10-27 13:53:46.260444674 +0200
@@ -16,10 +16,9 @@
#
-%{?!python_module:%define python_module() python-%{**} python3-%{**}}
%define skip_python2 1
Name: python-oauthlib
-Version: 3.2.1
+Version: 3.2.2
Release: 0
Summary: A Generic Implementation of the OAuth Request-Signing Logic
License: BSD-3-Clause
++++++ oauthlib-3.2.1.tar.gz -> oauthlib-3.2.2.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/oauthlib-3.2.1/CHANGELOG.rst
new/oauthlib-3.2.2/CHANGELOG.rst
--- old/oauthlib-3.2.1/CHANGELOG.rst 2022-09-09 21:53:55.000000000 +0200
+++ new/oauthlib-3.2.2/CHANGELOG.rst 2022-10-17 21:42:24.000000000 +0200
@@ -1,11 +1,15 @@
Changelog
=========
+3.2.2 (2022-10-17)
+------------------
+OAuth2.0 Provider:
+* CVE-2022-36087
+
3.2.1 (2022-09-09)
------------------
OAuth2.0 Provider:
* #803: Metadata endpoint support of non-HTTPS
-* CVE-2022-36087
OAuth1.0:
* #818: Allow IPv6 being parsed by signature
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/oauthlib-3.2.1/PKG-INFO new/oauthlib-3.2.2/PKG-INFO
--- old/oauthlib-3.2.1/PKG-INFO 2022-09-09 22:17:50.956804500 +0200
+++ new/oauthlib-3.2.2/PKG-INFO 2022-10-17 21:52:51.046814000 +0200
@@ -1,6 +1,6 @@
Metadata-Version: 2.1
Name: oauthlib
-Version: 3.2.1
+Version: 3.2.2
Summary: A generic, spec-compliant, thorough implementation of the OAuth
request-signing logic
Home-page: https://github.com/oauthlib/oauthlib
Author: The OAuthlib Community
@@ -173,5 +173,3 @@
.. _`supported features`:
https://oauthlib.readthedocs.io/en/latest/feature_matrix.html
For a full changelog see ``CHANGELOG.rst``.
-
-
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/oauthlib-3.2.1/oauthlib/__init__.py
new/oauthlib-3.2.2/oauthlib/__init__.py
--- old/oauthlib-3.2.1/oauthlib/__init__.py 2022-09-06 22:40:22.000000000
+0200
+++ new/oauthlib-3.2.2/oauthlib/__init__.py 2022-10-17 21:42:43.000000000
+0200
@@ -12,7 +12,7 @@
from logging import NullHandler
__author__ = 'The OAuthlib Community'
-__version__ = '3.2.1'
+__version__ = '3.2.2'
logging.getLogger('oauthlib').addHandler(NullHandler())
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/oauthlib-3.2.1/oauthlib/oauth1/rfc5849/signature.py
new/oauthlib-3.2.2/oauthlib/oauth1/rfc5849/signature.py
--- old/oauthlib-3.2.1/oauthlib/oauth1/rfc5849/signature.py 2022-09-06
22:10:05.000000000 +0200
+++ new/oauthlib-3.2.2/oauthlib/oauth1/rfc5849/signature.py 2022-10-17
21:37:37.000000000 +0200
@@ -37,6 +37,7 @@
import binascii
import hashlib
import hmac
+import ipaddress
import logging
import urllib.parse as urlparse
import warnings
@@ -130,7 +131,12 @@
raise ValueError('uri must be a string.')
# FIXME: urlparse does not support unicode
- scheme, netloc, path, params, query, fragment = urlparse.urlparse(uri)
+ output = urlparse.urlparse(uri)
+ scheme = output.scheme
+ hostname = output.hostname
+ port = output.port
+ path = output.path
+ params = output.params
# The scheme, authority, and path of the request resource URI `RFC3986`
# are included by constructing an "http" or "https" URI representing
@@ -152,13 +158,22 @@
# 1. The scheme and host MUST be in lowercase.
scheme = scheme.lower()
- netloc = netloc.lower()
# Note: if ``host`` is used, it will be converted to lowercase below
+ if hostname is not None:
+ hostname = hostname.lower()
# 2. The host and port values MUST match the content of the HTTP
# request "Host" header field.
if host is not None:
- netloc = host.lower() # override value in uri with provided host
+ # NOTE: override value in uri with provided host
+ # Host argument is equal to netloc. It means it's missing scheme.
+ # Add it back, before parsing.
+
+ host = host.lower()
+ host = f"{scheme}://{host}"
+ output = urlparse.urlparse(host)
+ hostname = output.hostname
+ port = output.port
# 3. The port MUST be included if it is not the default port for the
# scheme, and MUST be excluded if it is the default. Specifically,
@@ -169,33 +184,28 @@
# .. _`RFC2616`: https://tools.ietf.org/html/rfc2616
# .. _`RFC2818`: https://tools.ietf.org/html/rfc2818
- if ':' in netloc:
- # Contains a colon ":", so try to parse as "host:port"
+ if hostname is None:
+ raise ValueError('missing host')
- hostname, port_str = netloc.split(':', 1)
-
- if len(hostname) == 0:
- raise ValueError('missing host') # error: netloc was ":port" or
":"
-
- if len(port_str) == 0:
- netloc = hostname # was "host:", so just use the host part
- else:
- try:
- port_num = int(port_str) # try to parse into an integer number
- except ValueError:
- raise ValueError('port is not an integer')
-
- if port_num <= 0 or 65535 < port_num:
- raise ValueError('port out of range') # 16-bit unsigned ints
- if (scheme, port_num) in (('http', 80), ('https', 443)):
- netloc = hostname # default port for scheme: exclude port num
- else:
- netloc = hostname + ':' + str(port_num) # use hostname:port
+ # NOTE: Try guessing if we're dealing with IP or hostname
+ try:
+ hostname = ipaddress.ip_address(hostname)
+ except ValueError:
+ pass
+
+ if isinstance(hostname, ipaddress.IPv6Address):
+ hostname = f"[{hostname}]"
+ elif isinstance(hostname, ipaddress.IPv4Address):
+ hostname = f"{hostname}"
+
+ if port is not None and not (0 < port <= 65535):
+ raise ValueError('port out of range') # 16-bit unsigned ints
+ if (scheme, port) in (('http', 80), ('https', 443)):
+ netloc = hostname # default port for scheme: exclude port num
+ elif port:
+ netloc = f"{hostname}:{port}" # use hostname:port
else:
- # Does not contain a colon, so entire value must be the hostname
-
- if len(netloc) == 0:
- raise ValueError('missing host') # error: netloc was empty string
+ netloc = hostname
v = urlparse.urlunparse((scheme, netloc, path, params, '', ''))
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/oauthlib-3.2.1/oauthlib/uri_validate.py
new/oauthlib-3.2.2/oauthlib/uri_validate.py
--- old/oauthlib-3.2.1/oauthlib/uri_validate.py 2021-06-01 14:20:37.000000000
+0200
+++ new/oauthlib-3.2.2/oauthlib/uri_validate.py 2022-10-17 21:37:37.000000000
+0200
@@ -66,7 +66,7 @@
)
# IPv6address
-IPv6address = r"([A-Fa-f0-9:]+:+)+[A-Fa-f0-9]+"
+IPv6address = r"([A-Fa-f0-9:]+[:$])[A-Fa-f0-9]{1,4}"
# IPvFuture = "v" 1*HEXDIG "." 1*( unreserved / sub-delims / ":" )
IPvFuture = r"v %(HEXDIG)s+ \. (?: %(unreserved)s | %(sub_delims)s | : )+" %
locals()
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/oauthlib-3.2.1/oauthlib.egg-info/PKG-INFO
new/oauthlib-3.2.2/oauthlib.egg-info/PKG-INFO
--- old/oauthlib-3.2.1/oauthlib.egg-info/PKG-INFO 2022-09-09
22:17:50.000000000 +0200
+++ new/oauthlib-3.2.2/oauthlib.egg-info/PKG-INFO 2022-10-17
21:52:50.000000000 +0200
@@ -1,6 +1,6 @@
Metadata-Version: 2.1
Name: oauthlib
-Version: 3.2.1
+Version: 3.2.2
Summary: A generic, spec-compliant, thorough implementation of the OAuth
request-signing logic
Home-page: https://github.com/oauthlib/oauthlib
Author: The OAuthlib Community
@@ -173,5 +173,3 @@
.. _`supported features`:
https://oauthlib.readthedocs.io/en/latest/feature_matrix.html
For a full changelog see ``CHANGELOG.rst``.
-
-
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/oauthlib-3.2.1/tests/oauth1/rfc5849/test_signatures.py
new/oauthlib-3.2.2/tests/oauth1/rfc5849/test_signatures.py
--- old/oauthlib-3.2.1/tests/oauth1/rfc5849/test_signatures.py 2022-09-06
22:10:05.000000000 +0200
+++ new/oauthlib-3.2.2/tests/oauth1/rfc5849/test_signatures.py 2022-10-17
21:37:37.000000000 +0200
@@ -229,6 +229,26 @@
base_string_uri('http:///path', 'OVERRIDE.example.com'))
# ----------------
+ # Host: valid host allows for IPv4 and IPv6
+
+ self.assertEqual(
+ 'https://192.168.0.1/',
+ base_string_uri('https://192.168.0.1')
+ )
+ self.assertEqual(
+ 'https://192.168.0.1:13000/',
+ base_string_uri('https://192.168.0.1:13000')
+ )
+ self.assertEqual(
+ 'https://[123:db8:fd00:1000::5]:13000/',
+ base_string_uri('https://[123:db8:fd00:1000::5]:13000')
+ )
+ self.assertEqual(
+ 'https://[123:db8:fd00:1000::5]/',
+ base_string_uri('https://[123:db8:fd00:1000::5]')
+ )
+
+ # ----------------
# Port: default ports always excluded; non-default ports always
included
self.assertEqual(
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/oauthlib-3.2.1/tests/test_uri_validate.py
new/oauthlib-3.2.2/tests/test_uri_validate.py
--- old/oauthlib-3.2.1/tests/test_uri_validate.py 2021-06-01
14:20:37.000000000 +0200
+++ new/oauthlib-3.2.2/tests/test_uri_validate.py 2022-10-17
21:37:37.000000000 +0200
@@ -1,4 +1,4 @@
-import oauthlib
+import unittest
from oauthlib.uri_validate import is_absolute_uri
from tests.unittest import TestCase
@@ -7,7 +7,6 @@
class UriValidateTest(TestCase):
def test_is_absolute_uri(self):
-
self.assertIsNotNone(is_absolute_uri('schema://example.com/path'))
self.assertIsNotNone(is_absolute_uri('https://example.com/path'))
self.assertIsNotNone(is_absolute_uri('https://example.com'))
@@ -17,17 +16,69 @@
self.assertIsNotNone(is_absolute_uri('http://example.com'))
self.assertIsNotNone(is_absolute_uri('http://example.com/path'))
self.assertIsNotNone(is_absolute_uri('http://example.com:80/path'))
- self.assertIsNotNone(is_absolute_uri('com.example.bundle.id:/'))
+
+ def test_query(self):
+ self.assertIsNotNone(is_absolute_uri('http://example.com:80/path?foo'))
+
self.assertIsNotNone(is_absolute_uri('http://example.com:80/path?foo=bar'))
+
self.assertIsNotNone(is_absolute_uri('http://example.com:80/path?foo=bar&fruit=banana'))
+
+ def test_fragment_forbidden(self):
+ self.assertIsNone(is_absolute_uri('http://example.com:80/path#foo'))
+
self.assertIsNone(is_absolute_uri('http://example.com:80/path#foo=bar'))
+
self.assertIsNone(is_absolute_uri('http://example.com:80/path#foo=bar&fruit=banana'))
+
+ def test_combined_forbidden(self):
+
self.assertIsNone(is_absolute_uri('http://example.com:80/path?foo#bar'))
+
self.assertIsNone(is_absolute_uri('http://example.com:80/path?foo&bar#fruit'))
+
self.assertIsNone(is_absolute_uri('http://example.com:80/path?foo=1&bar#fruit=banana'))
+
self.assertIsNone(is_absolute_uri('http://example.com:80/path?foo=1&bar=2#fruit=banana&bar=foo'))
+
+ def test_custom_scheme(self):
+ self.assertIsNotNone(is_absolute_uri('com.example.bundle.id://'))
+
+ def test_ipv6_bracket(self):
self.assertIsNotNone(is_absolute_uri('http://[::1]:38432/path'))
self.assertIsNotNone(is_absolute_uri('http://[::1]/path'))
self.assertIsNotNone(is_absolute_uri('http://[fd01:0001::1]/path'))
self.assertIsNotNone(is_absolute_uri('http://[fd01:1::1]/path'))
self.assertIsNotNone(is_absolute_uri('http://[0123:4567:89ab:cdef:0123:4567:89ab:cdef]/path'))
+
self.assertIsNotNone(is_absolute_uri('http://[0123:4567:89ab:cdef:0123:4567:89ab:cdef]:8080/path'))
+
+ @unittest.skip("ipv6 edge-cases not supported")
+ def test_ipv6_edge_cases(self):
+ self.assertIsNotNone(is_absolute_uri('http://2001:db8::'))
+ self.assertIsNotNone(is_absolute_uri('http://::1234:5678'))
+ self.assertIsNotNone(is_absolute_uri('http://2001:db8::1234:5678'))
+
self.assertIsNotNone(is_absolute_uri('http://2001:db8:3333:4444:5555:6666:7777:8888'))
+
self.assertIsNotNone(is_absolute_uri('http://2001:db8:3333:4444:CCCC:DDDD:EEEE:FFFF'))
+
self.assertIsNotNone(is_absolute_uri('http://0123:4567:89ab:cdef:0123:4567:89ab:cdef/path'))
+ self.assertIsNotNone(is_absolute_uri('http://::'))
+
self.assertIsNotNone(is_absolute_uri('http://2001:0db8:0001:0000:0000:0ab9:C0A8:0102'))
+
+ @unittest.skip("ipv6 dual ipv4 not supported")
+ def test_ipv6_dual(self):
+
self.assertIsNotNone(is_absolute_uri('http://2001:db8:3333:4444:5555:6666:1.2.3.4'))
+ self.assertIsNotNone(is_absolute_uri('http://::11.22.33.44'))
+
self.assertIsNotNone(is_absolute_uri('http://2001:db8::123.123.123.123'))
+ self.assertIsNotNone(is_absolute_uri('http://::1234:5678:91.123.4.56'))
+ self.assertIsNotNone(is_absolute_uri('http://::1234:5678:1.2.3.4'))
+
self.assertIsNotNone(is_absolute_uri('http://2001:db8::1234:5678:5.6.7.8'))
+
+ def test_ipv4(self):
self.assertIsNotNone(is_absolute_uri('http://127.0.0.1:38432/'))
self.assertIsNotNone(is_absolute_uri('http://127.0.0.1:38432/'))
self.assertIsNotNone(is_absolute_uri('http://127.1:38432/'))
+ def test_failures(self):
self.assertIsNone(is_absolute_uri('http://example.com:notaport/path'))
self.assertIsNone(is_absolute_uri('wrong'))
self.assertIsNone(is_absolute_uri('http://[:1]:38432/path'))
self.assertIsNone(is_absolute_uri('http://[abcd:efgh::1]/'))
+
+ def test_recursive_regex(self):
+ from datetime import datetime
+ t0 = datetime.now()
+ is_absolute_uri('http://[::::::::::::::::::::::::::]/path')
+ t1 = datetime.now()
+ spent = t1 - t0
+ self.assertGreater(0.1, spent.total_seconds(), "possible recursive
loop detected")
